The past year has seen an unprecedented rise in the use of online service providers. In particular, the rise in home-working has prompted many organisations to 'upgrade' their current IT offering, and move to solutions which are more suitable for remote-working.
Cloud-based solutions offer online tools to assist organisations with business continuity, despite the restrictions around physical working environments. Whilst these tools have undoubtedly ensured that working life is able to continue, they are not without their risks.
The provider is likely to be your organisation's data processor under the UK GDPR in respect of the personal data that will be stored on the platform. This will be the case if the provider processes personal data on your behalf, following your instructions. As such, the usual considerations will apply here that would apply to any other data processor.
In the first instance, you will need to carry out appropriate due diligence on the proposed provider to check that their use of the personal data will comply with data protection law. Part of this process will be satisfying yourselves as to the information security practices the provider has in place. Some questions that you may want to look into include:
Sometimes providers of online services position themselves as a data controller rather than a data processor in respect of the data held. If they are referring to themselves as a data controller, or giving themselves powers to use personal data for their own purposes then this may present a risk to your organisation which you should consider.
If personal data will be transferred outside of the UK to a country not considered to have adequate data protection laws, you will need to ensure that additional safeguards are in place for compliance. Fortunately, all countries in the European Economic Area (EEA) and some others (eg New Zealand and Japan) are considered to have adequate data protection laws under the UK GDPR. Where the data is being transferred outside of these countries, the appropriate safeguard might be ensuring that the standard contractual clauses ('SCCs') are incorporated into the agreement with the provider.
SCCs are model data protection clauses that can be used to make an international transfer of personal data lawful. However, following a court decision last year, using the SCCs may not be sufficient on their own and you may need to put additional safeguards in place for compliance. What safeguards are needed should be assessed on a case-by-case basis. For example, if the data is encrypted such that it cannot be accessed by the provider or anyone other than your organisation, then this may count as a suitable safeguard, but this will not be appropriate in all cases.
Last week the EU published a draft decision stating that the UK has adequate data protection laws. If adopted this decision will allow data to flow freely from the EEA to the UK. Data can already flow freely from the UK to the EEA so if your organisation is solely based in the UK this is unlikely to directly affect your compliance but it will make using service providers in the EEA easier.
To comply with the requirement to demonstrate your compliance, you should document the process outlined above. For example, there should be a record of the due diligence carried out. You should also make sure that your privacy notices cover the type of activity that you will be using the service provider for.
Cyber-crime, including scenarios where ransoms are demanded to decrypt data or destroy improperly taken copies, is becoming much more commonplace in the digital age. You may remember that the NHS was subject to the WannaCry ransomware attack a few years ago, which illustrated the serious nature of these attacks, particularly where sensitive information is compromised. To assist with mitigating the risks here we recommend the following actions:
If your organisation is in a situation where it needs to report a breach to the ICO in circumstances where the breach was caused by a processor, then the ICO is likely to be interested in whether the steps outlined above were taken.
In our experience, the ICO is far less likely to take enforcement action against an organisation if the arrangement is compliant and appropriate checks were carried out on the processor.